Thycotic’s Cyber Security Publication

Privileged Access Management Compliance Through the Eyes of an Auditor

January 8th, 2019

Compliance audits are a stressful, time-consuming effort for many companies. In the Lockdown blog, we often talk about the tools and processes customers use to prepare for both internal and external information security audits. This time we thought we’d turn the tables and speak directly to an auditor to hear his perspective.

In this post, auditor and Information Security Specialist Edgar Perez Espinosa shares what’s on his security audit checklist and what really goes through his mind when he’s conducting an information security audit.

Thycotic: How prepared are companies you audit?

Auditor: There is not much advance notice in terms of process. Basically, companies focus more on investing in the “new generation” tools for increasing security and account management, but 70% of them lack a complete lifecycle to dispose of accounts correctly.


Thycotic: How long do you spend on an audit?

Auditor: Usually audits take from two weeks to one month. It will depend on the scope of the audit.

Thycotic: What frustrates you the most about auditing organizations?

Auditor: What is most frustrating about security audits is that 40% of companies repeat the same missing controls: updated inventories (hardware and software), vulnerability management and monitoring of PAM. That makes our work easy, as the findings repeat, but it continues to be a risk for them.

Thycotic: What do you enjoy the most?

Auditor: What I enjoy the most is the fact that companies trust in our advice as experienced auditors, not only to find missing controls but to understand what really works for different companies. I like when Directors understand the risk for their organizations and they thank you for having made them conscious about that.

Thycotic: With respect to privileged accounts, what type of security controls do you expect to see?

Auditor: First of all, I like to see the inventory of privileged accounts, who is responsible, and the process of assigning one of them. Then, in practice, what I usually look for is the workflow of real-time use of a privileged account and how it’s used, authorized, monitored, logged and disposed of.

Thycotic: How often do you see companies that do not achieve what is required of an audit?

Auditor: I might say that 50% of the time companies do not properly understand the scope of the audit, and do not even know their internal process, and that is a big mistake. Audits are conducted to improve the security posture, but you should know your risks and define plans to minimize them.

Thycotic: In what areas do you see most companies fall short? Why do you think that is?

Auditor: Based on experience, the top three domains where companies fall short are:

Risk Management (mainly because strategically this has not been properly understood)

Secure Software Lifecycle (usually because they focus on functionality instead of security by design)

Incident Management (they respond to incidents but they do not know how to manage outside the organization and how to disclose breaches appropriately)

Thycotic: What would you recommend to any company to be better prepared for a security compliance audit?

Auditor: In my opinion, my best advice is: do not fear audits. They should be seen as part of an improvement process. Instead, think of audits like a health check. How would you know if you have a disease if you don’t visit your doctor?

Jordan True

Jordan is a social media strategist, digital community manager and a lover of all things IT. She currently manages the Social Media Program at Thycotic and loves to connect with technology communities online and at enterprise IT events. Addicted to the outdoors, you can find Jordan on the running trails in her free time or sharing the latest InfoSec buzz on Twitter @ThycoticJordan.